
Data Center Security Overview

Dr. Natheer Khasawneh

ZiadBashaBsheh

Data Center Security Overview

This presentation provides an overview of the typical security issues that affect Data Centers (DCs) and presents general guidelines for securing a DC in a systematic manner that helps maintain an adequate security level as the DC evolves.

Vulnerabilities & Common Attacks

•Trust exploitation–

These attacks exploit the trust relationships that computer systems rely on to communicate with each other.

-Communications in networked environments are always based on trust. For example, a web server trusts the back-end database it communicates with; an attacker who compromises one trusted system can use that trust to reach the other.

•Session hijacking–

consists of stealing a legitimate session established between a target and a trusted host, so that the attacker can impersonate one of the two parties.

-Ex: IP spoofing, TCP SYN/ACK sequence-number prediction.

•Buffer overflow attacks–

occur when a program writes more data into a memory buffer than the space it reserved for it, so the excess overwrites adjacent memory (other variables, control data, or return addresses) and the attacker can change the program's behaviour.
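As an added illustration (not part of the slides), the following Python script uses ctypes to lay out a record the way a C program would, a fixed 8-byte name field followed directly by a privilege flag, and copies attacker-controlled input into it once without a bound check and once with one. The LoginRecord structure, BUF_SIZE and the attacker input are constructed for the example; the size guard inside vulnerable_copy only keeps the demo within memory the interpreter owns and is not part of the bug.

```python
import ctypes

BUF_SIZE = 8  # bytes reserved for the name field (constructed example)


class LoginRecord(ctypes.Structure):
    """Hypothetical record laid out as a C struct would be: a fixed 8-byte
    name buffer immediately followed by a privilege flag in adjacent memory."""
    _fields_ = [
        ("name", ctypes.c_char * BUF_SIZE),
        ("is_admin", ctypes.c_int),
    ]


def _name_address(rec: LoginRecord) -> int:
    return ctypes.addressof(rec) + LoginRecord.name.offset


def vulnerable_copy(rec: LoginRecord, data: bytes) -> None:
    """strcpy-style copy: len(data) is never compared with BUF_SIZE, so any
    byte past the eighth lands in whatever follows the buffer (is_admin)."""
    # Demo-only guard so the write stays inside memory Python owns; in native
    # code the overflow continues into the stack or heap.
    if len(data) > ctypes.sizeof(LoginRecord):
        raise RuntimeError("demo payload larger than the whole struct")
    ctypes.memmove(_name_address(rec), data, len(data))


def safe_copy(rec: LoginRecord, data: bytes) -> None:
    """Bounded copy: reject input that does not fit, leaving one byte for the
    terminating NUL a C string would need."""
    if len(data) > BUF_SIZE - 1:
        raise ValueError(f"{len(data)} bytes do not fit a {BUF_SIZE}-byte field")
    ctypes.memmove(_name_address(rec), data, len(data))


def privilege_after_copy(copy_fn, data: bytes) -> int:
    """Create a fresh record (is_admin == 0), copy data with copy_fn and
    report the privilege flag afterwards."""
    rec = LoginRecord()
    copy_fn(rec, data)
    return rec.is_admin


def safe_copy_rejects(data: bytes) -> bool:
    try:
        privilege_after_copy(safe_copy, data)
    except ValueError:
        return True
    return False


# Constructed attacker input: fill the 8-byte buffer, then four more bytes
# that spill into is_admin (0x01010101 whatever the byte order).
OVERFLOW_INPUT = b"A" * BUF_SIZE + b"\x01\x01\x01\x01"

if __name__ == "__main__":
    print("vulnerable copy, overflow input:", privilege_after_copy(vulnerable_copy, OVERFLOW_INPUT))
    print("vulnerable copy, benign input:", privilege_after_copy(vulnerable_copy, b"alice"))
    print("safe copy rejects overflow:", safe_copy_rejects(OVERFLOW_INPUT))
```

The unchecked copy turns a user record into an administrator record without ever touching is_admin by name; the bounded copy refuses the input instead. The same mechanism, with a return address in place of the flag, is what turns an overflow into code execution.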

Vulnerabilities & Common Attacks (cont)

Common attacks (continued)

•Layer 2 attacks–

exploit vulnerabilities in data link layer protocols and in their implementations on Layer 2 switching platforms. A characteristic of Layer 2 attacks is that the attacker must be connected to the same LAN (broadcast domain) as the victims.

-Ex: Address Resolution Protocol (ARP) spoofing, MAC flooding.

Network Security Infrastructure

The network security infrastructure comprises the security tools used in the Data Center to enforce security policies. These tools include packet-filtering technologies such as ACLs and firewalls, and intrusion detection systems (IDSs), both network-based and host-based. The following sections discuss these tools.

•ACLs–

are filtering mechanisms explicitly defined on packet header information (addresses, protocol, ports) to permit or deny traffic on specific interfaces.

An ACL is an ordered list of entries that is applied sequentially to each packet until a match is found; the first matching entry decides, so entry order matters, and a packet that matches no entry is dropped by the implicit deny at the end of the list.
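The following Python model of a sequential, first-match ACL is an added example and not part of the slides. The addresses (10.1.1.10 web server, 10.1.2.20 database, 203.0.113.5 client), the Ace and Packet types and the shadowed_entries check are all constructed for the example; it shows the implicit deny and how a broad entry placed too early silently disables a later, more specific one.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPNet = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One access control entry, matched on header fields only."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any protocol), "tcp" or "udp"
    src: IPNet
    dst: IPNet
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and pkt.src in ace.src
            and pkt.dst in ace.dst
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the list top-down; the first matching entry decides. A packet that
    matches nothing hits the implicit deny, reported with index None."""
    for index, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, index
    return "deny", None


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indices of entries that can never be reached because an earlier,
    broader entry already matches everything they would match."""
    shadowed = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            if (earlier.proto in ("ip", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                shadowed.append(j)
                break
    return shadowed


def pkt(proto: str, src: str, dst: str, dport: int) -> Packet:
    return Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


# Constructed Data Center addressing (not taken from the slides).
WEB = ipaddress.ip_network("10.1.1.10/32")
DB = ipaddress.ip_network("10.1.2.20/32")

DC_ACL = [
    Ace("permit", "tcp", ANY, WEB, 80),
    Ace("permit", "tcp", ANY, WEB, 443),
    Ace("permit", "tcp", WEB, DB, 3306),
    # nothing else: the implicit deny at the end drops everything remaining
]

# Same intent, wrong order: the broad permit in entry 0 shadows the deny in entry 1.
MISORDERED_ACL = [
    Ace("permit", "ip", ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.1.2.0/24")),
    Ace("deny", "tcp", WEB, DB, 22),
]

if __name__ == "__main__":
    print(evaluate(DC_ACL, pkt("tcp", "203.0.113.5", "10.1.1.10", 443)))
    print(evaluate(DC_ACL, pkt("tcp", "203.0.113.5", "10.1.2.20", 3306)))
    print(evaluate(MISORDERED_ACL, pkt("tcp", "10.1.1.10", "10.1.2.20", 22)))
    print(shadowed_entries(MISORDERED_ACL))
```

Running shadowed_entries over a real ACL before deploying it is a cheap way to catch the ordering mistake shown in MISORDERED_ACL, where the intended SSH block from the web server to the database never takes effect.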

Network Security Infrastructure (cont)

•Firewalls–

are sophisticated filtering devices that separate LAN segments and enforce policy on the traffic passing between them.

The considerations when selecting a firewall are as follows:

•Performance,

•Application support,

There are different types of firewalls based on their packet-processing capabilities and their awareness of application-level information:

•Packet-filtering firewalls.

•Proxy firewalls.

•Stateful firewalls.

•Hybrid firewalls.
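Added example (not from the slides) contrasting the first and third types in Python: a stateless packet filter that approximates an "established" rule by testing the ACK bit, and a stateful firewall that records connections opened from inside and admits only their replies. The addresses, the Segment type and the scenario are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Set, Tuple

# Constructed addressing: the protected Data Center segment.
INSIDE = ipaddress.ip_network("10.1.0.0/16")


@dataclass(frozen=True)
class Segment:
    """The TCP header fields a firewall looks at."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def inbound(seg: Segment) -> bool:
    return ipaddress.ip_address(seg.src) not in INSIDE


def packet_filter(seg: Segment) -> str:
    """Stateless filter with an 'established' rule: inbound TCP is permitted
    whenever the ACK bit is set, because header fields are all it can see."""
    if not inbound(seg):
        return "permit"
    return "permit" if seg.ack else "deny"


class StatefulFirewall:
    """Tracks connections opened from inside and permits only their replies."""

    def __init__(self) -> None:
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def process(self, seg: Segment) -> str:
        if not inbound(seg):
            if seg.syn and not seg.ack:  # new outbound connection
                self.connections.add((seg.src, seg.sport, seg.dst, seg.dport))
            return "permit"
        # Inbound is permitted only as the reverse of a tracked connection.
        reverse = (seg.dst, seg.dport, seg.src, seg.sport)
        return "permit" if reverse in self.connections else "deny"


def run_scenario() -> dict:
    """Returns (packet_filter verdict, stateful verdict) per constructed segment."""
    fw = StatefulFirewall()
    out = {}
    # 1. A server inside opens a connection to an update mirror outside.
    syn = Segment("10.1.1.10", 40000, "203.0.113.5", 443, syn=True)
    synack = Segment("203.0.113.5", 443, "10.1.1.10", 40000, syn=True, ack=True)
    out["outbound_syn"] = (packet_filter(syn), fw.process(syn))
    out["legit_synack"] = (packet_filter(synack), fw.process(synack))
    # 2. An attacker sends an ACK-flagged segment to SSH with no prior handshake:
    #    the stateless rule lets it through, the stateful firewall does not.
    forged = Segment("198.51.100.7", 1234, "10.1.1.10", 22, ack=True)
    out["forged_ack"] = (packet_filter(forged), fw.process(forged))
    # 3. An unsolicited inbound SYN is rejected by both.
    probe = Segment("198.51.100.7", 5555, "10.1.1.10", 22, syn=True)
    out["inbound_syn"] = (packet_filter(probe), fw.process(probe))
    return out


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:14s} packet filter={verdicts[0]:6s} stateful={verdicts[1]}")
```

Forged ACK segments of this kind are exactly how port scanners map hosts behind an "established"-style packet filter; the connection table is what closes that gap.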

Network Security Infrastructure (cont)

•IDSs–

are real-time systems that detect intruders and suspicious activities and report them to a monitoring system.

IDSs have two fundamental components:

•Sensors, appliances and software agents that analyze traffic on the network or resource usage on end systems to identify intrusions and suspicious activities. Sensors can be network-based or host-based.

•IDS management, a single- or multi-device system used to configure and administer the sensors and to collect all the alarm information they generate.

Typical IDS response actions

Most IDSs can respond to identified security incidents using specific mechanisms:

•IP session logging–

The least aggressive response: the IDS logs the entire IP session that corresponds to a detected intrusion.

•TCP resets–

You can configure the IDS to generate TCP resets on behalf of a victim system, tearing down the offending TCP connection.

•Shunning or blocking–

The IDS instructs a network device such as a router, switch, or firewall to dynamically apply an ACL that blocks traffic coming from the attacker.

Network Security Infrastructure (cont)

•Layer 2 Security–

components:

•Port Security, is a feature that lets you configure a switch port to accept frames only from trusted source MAC addresses (statically configured, or learned up to a limit); a frame from any other address is a violation, which confines MAC flooding to the offending port.

•ARP Inspection, is a feature that lets you specify the mapping between the default gateway IP address and its MAC address; the switch drops ARP packets that contradict that mapping, which prevents the ARP spoofing on which Layer 2 man-in-the-middle attacks are built.
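To show how port security and ARP inspection defeat the MAC flooding and ARP spoofing attacks listed under Layer 2 attacks earlier, here is an added Python simulation of an access switch (example code, not the slides' or any vendor's implementation). Port names, the gateway binding 10.1.1.1 / 00:00:5e:00:01:01 and the attacker MACs are constructed; the ARP inspection here knows only the static gateway binding the slide mentions, whereas a real switch would also use DHCP snooping bindings for hosts.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Port:
    name: str
    trusted: bool = False        # ARP-inspection trust: only the uplink to the real gateway
    max_macs: int = 1            # port-security limit on learned source MACs
    learned: Set[str] = field(default_factory=set)
    err_disabled: bool = False


class Switch:
    """Toy access switch with port security and dynamic ARP inspection."""

    def __init__(self, gateway_ip: str, gateway_mac: str) -> None:
        self.ports: Dict[str, Port] = {}
        self.cam: Dict[str, str] = {}          # MAC -> port (the CAM table)
        # Static IP->MAC binding for the default gateway, as the slide describes.
        self.arp_bindings: Dict[str, str] = {gateway_ip: gateway_mac.lower()}
        self.log: List[str] = []

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def frame_in(self, port_name: str, src_mac: str) -> str:
        """Port security on source-MAC learning: beyond max_macs the port is
        err-disabled, so a MAC flood cannot fill the CAM table."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "drop:err-disabled"
        if src_mac in port.learned:
            return "forward"
        if len(port.learned) >= port.max_macs:
            port.err_disabled = True
            self.log.append(f"{port_name}: port-security violation from {src_mac}, err-disabled")
            return "drop:violation"
        port.learned.add(src_mac)
        self.cam[src_mac] = port_name
        return "forward"

    def arp_reply_in(self, port_name: str, sender_ip: str, sender_mac: str) -> str:
        """ARP inspection: on untrusted ports a reply for a bound IP must carry
        the bound MAC, otherwise it is dropped before it can poison ARP caches."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "drop:err-disabled"
        if port.trusted:
            return "forward"
        bound = self.arp_bindings.get(sender_ip)
        if bound is not None and bound != sender_mac.lower():
            self.log.append(f"{port_name}: ARP inspection dropped '{sender_ip} is-at {sender_mac}' (bound {bound})")
            return "drop:arp-spoof"
        return "forward"


def run_scenario() -> dict:
    sw = Switch(gateway_ip="10.1.1.1", gateway_mac="00:00:5e:00:01:01")
    sw.add_port(Port("Gi1/0/1", trusted=True, max_macs=64))  # uplink towards the gateway
    sw.add_port(Port("Gi1/0/5"))                              # attacker's access port, 1 MAC
    out = {}
    # ARP spoofing: the attacker claims the gateway IP with its own MAC.
    out["spoofed_gateway"] = sw.arp_reply_in("Gi1/0/5", "10.1.1.1", "02:00:00:00:00:01")
    out["real_gateway"] = sw.arp_reply_in("Gi1/0/1", "10.1.1.1", "00:00:5e:00:01:01")
    # MAC flooding: frames from many random source MACs on one port.
    flood = [f"02:00:00:00:00:{i:02x}" for i in range(1, 4)]
    out["flood"] = [sw.frame_in("Gi1/0/5", mac) for mac in flood]
    out["cam_size"] = len(sw.cam)
    out["log"] = list(sw.log)
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The first flooded address is learned, the second triggers the violation and err-disables the port, and everything after that is dropped without touching the CAM table; the forged gateway reply is stopped by the binding check while the genuine one on the trusted uplink passes.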

Security Fundamentals

•Cryptography–

is the science of encrypting and decrypting information. In the Data Center it secures transactions from client to server, communication between a user and a managed device, the communication channel between two sites, and so on.

Cryptography is typically associated with:

•Confidentiality.

•Integrity.

•Nonrepudiation.

•Authentication.

•Antireplay protection–

used at the IP packet level (IPsec does this with per-packet sequence numbers) to ensure that packets cannot be intercepted, modified, and inserted back into the communication stream between client and server. The sequence number is covered by the packet's integrity check, so a captured packet cannot simply be re-sent or renumbered.
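Added example, not from the slides: a Python sender/receiver pair that gives each packet a sequence number and an HMAC-SHA256 tag over sequence number and payload, and a receiver that keeps an IPsec-style 64-entry sliding window (the scheme of RFC 4303) so replayed, modified, or very late packets are rejected while out-of-order packets inside the window still pass. The key and the packet payloads are constructed; Sender, Receiver and WINDOW are names chosen for the example.

```python
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

WINDOW = 64      # the receiver remembers the last 64 sequence numbers
SEQ_LEN = 4
TAG_LEN = 32     # HMAC-SHA256


class Sender:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.seq = 0

    def send(self, payload: bytes) -> bytes:
        """Packet = sequence number || payload || MAC over both. Because the MAC
        covers the sequence number, a captured packet cannot be renumbered."""
        self.seq += 1
        header = struct.pack(">I", self.seq)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag


class Receiver:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit k set <=> sequence (highest - k) already seen

    def receive(self, packet: bytes) -> Tuple[str, Optional[bytes]]:
        if len(packet) < SEQ_LEN + TAG_LEN:
            return "drop:short", None
        header, payload, tag = packet[:SEQ_LEN], packet[SEQ_LEN:-TAG_LEN], packet[-TAG_LEN:]
        seq = struct.unpack(">I", header)[0]
        if seq == 0:
            return "drop:seq-zero", None
        # Window check first: it is cheap and rejects obvious replays before
        # any MAC work. The window is updated only after the MAC verifies.
        if seq <= self.highest:
            diff = self.highest - seq
            if diff >= WINDOW:
                return "drop:too-old", None
            if (self.bitmap >> diff) & 1:
                return "drop:replay", None
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "drop:bad-mac", None
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = 1 if shift >= WINDOW else ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)
        return "accept", payload


def run_demo() -> List[str]:
    """Constructed traffic: returns the receiver's verdict for each delivery."""
    key = b"constructed-demo-key-not-for-real-use"
    tx, rx = Sender(key), Receiver(key)
    p1, p2, p3, p4 = [tx.send(b) for b in (b"p1", b"p2", b"p3", b"p4")]
    tampered_p4 = p4[:4] + bytes([p4[4] ^ 1]) + p4[5:]   # one payload bit flipped
    verdicts = [
        rx.receive(p1)[0],           # accept
        rx.receive(p3)[0],           # accept: arrives before p2
        rx.receive(p2)[0],           # accept: late, but inside the window
        rx.receive(p2)[0],           # drop:replay: same packet again
        rx.receive(tampered_p4)[0],  # drop:bad-mac: modified in transit
        rx.receive(p4)[0],           # accept: the forgery did not consume seq 4
    ]
    for _ in range(69):              # sequence numbers 5..73 move the window on
        last = tx.send(b"x")
    verdicts.append(rx.receive(last)[0])  # accept
    verdicts.append(rx.receive(p1)[0])    # drop:too-old: 72 behind the window
    return verdicts


if __name__ == "__main__":
    print(run_demo())
```

Note the ordering inside receive: a forged packet with an unused sequence number must not advance the window, otherwise an attacker could push genuine in-flight packets out of it without knowing the key.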

Security Fundamentals (cont)

Data Center security uses encryption for two primary purposes:

•To protect the confidentiality of users' data.

•To secure communications over the management infrastructure.

Encryption algorithms:

•Symmetric encryption– one shared secret key both encrypts and decrypts, so the key itself must be distributed securely.

•Asymmetric encryption– a key pair; for confidentiality, the sender encrypts with the recipient's public key and only the matching private key can decrypt.

Security Fundamentals (cont)

VPN–

Virtual Private Networks.

A VPN is a virtual link between two entities that allows them to communicate securely over a public network such as the Internet.

VPNs use tunneling technologies combined with encryption and authentication services.

There are two main applications for VPNs:

•Site-to-site–

provides communication between two distinct locations using routers or VPN concentrators.

•Remote access–

allows remote users to reach a central location over a secure channel between the end user's device and a VPN router or VPN concentrator.

Security Fundamentals (cont)

AAA.

AAA is a framework that defines the control of access to network resources such as those in Data Centers (routers, switches, firewalls, servers, and so on).

AAA provides three basic services:

•Authentication–

proves that a user is who he or she claims to be.

•Authorization–

defines what an authenticated user is allowed to do.

•Accounting–

consists of keeping records of user activity.
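The three services in action, as an added Python example that is not part of the slides: a minimal AAA server that authenticates against salted PBKDF2 hashes, authorizes each command against the user's role, and writes an accounting record for every decision, including failed logins and denied commands. User names, passwords, roles, the ROLE_COMMANDS policy and the device name are all constructed.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, List

PBKDF2_ROUNDS = 50_000

# Constructed authorization policy: which commands each role may run on a device.
ROLE_COMMANDS = {
    "netops": {"show running-config", "show interfaces", "configure terminal"},
    "helpdesk": {"show interfaces"},
}


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    role: str


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AAAServer:
    """Minimal AAA server: verifies credentials, answers per-command
    authorization requests, and records every decision, denied ones included."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.records: List[dict] = []

    def add_user(self, name: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _derive(password, salt), role)

    def authenticate(self, name: str, password: str, device: str) -> bool:
        user = self.users.get(name)
        if user is None:
            _derive(password, b"\x00" * 16)  # same cost for unknown users: no enumeration by timing
            ok = False
        else:
            ok = hmac.compare_digest(user.pw_hash, _derive(password, user.salt))
        self._account(name, device, "login", "success" if ok else "failure")
        return ok

    def authorize(self, name: str, command: str, device: str) -> bool:
        user = self.users.get(name)
        ok = user is not None and command in ROLE_COMMANDS.get(user.role, set())
        self._account(name, device, command, "permitted" if ok else "denied")
        return ok

    def _account(self, name: str, device: str, action: str, outcome: str) -> None:
        self.records.append({"ts": time.time(), "user": name, "device": device,
                             "action": action, "outcome": outcome})


def run_session() -> dict:
    """Constructed session against a device; returns each decision and the
    actions that produced failure/denied accounting records."""
    aaa = AAAServer()
    aaa.add_user("alice", "correct horse battery staple", "netops")
    aaa.add_user("bob", "hunter2", "helpdesk")
    dev = "dc-core-sw1"
    result = {
        "alice_login": aaa.authenticate("alice", "correct horse battery staple", dev),
        "alice_bad_pw": aaa.authenticate("alice", "wrong", dev),
        "mallory_login": aaa.authenticate("mallory", "anything", dev),
        "alice_config": aaa.authorize("alice", "configure terminal", dev),
        "bob_config": aaa.authorize("bob", "configure terminal", dev),
        "bob_show": aaa.authorize("bob", "show interfaces", dev),
    }
    result["denied_records"] = [r["action"] for r in aaa.records
                                if r["outcome"] in ("failure", "denied")]
    return result


if __name__ == "__main__":
    for key, value in run_session().items():
        print(f"{key}: {value}")
```

Authorization is evaluated per command rather than once at login, which is what lets a help-desk role run show commands on the same device where it cannot enter configuration mode; the accounting records are the audit trail an incident responder later reads.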

Data Center Security Framework


This section explains the key components of a sound security framework from a system-planning perspective. Because the details of applying these components to the network are driven by the particular business needs of an organization

•Security Policies–

The security policy defines what activities are considered acceptable or unacceptable by the organization.

•Security Life Cycle–

is the constant evaluation cycle that refines the state of security readiness and adapts the security policy to the network architecture.

Data Center Security Framework (cont)

The following security life cycle is often quoted and well understood in the security industry:

•Assess

•Design

•Deploy

•Maintain

Data Center Security Framework (cont)

•Assessment–

The process of auditing, testing, and verifying the system's vulnerabilities through risk analysis.

•Design–

The process of applying the security policy and the requirements resulting from the assessment to the security design.

•Deployment–

The process of implementing the specific security design recommendations in the network architecture.

•Maintenance–

The process of keeping the application of security policies consistent throughout the network by monitoring that best practices and recommendations remain in effect.

Data Center Security Framework (cont)

Secure Management Framework: the following steps help you secure the management of the Data Center further: